About

Huntress provides managed security services that protect your business from cyber threats. They use automation and human monitoring to detect suspicious activity patterns on your accounts.

Their purpose-built solutions platform includes managed EDR, managed ITDR, security awareness training and managed SIEM.

www.huntress.com

Find out how Huntress recently supported our engineers in stopping a cyber threat.

Challenge

One afternoon, a malicious email was sent to two staff members within an organisation. The email appeared to be from another organisation they had worked with. However, this was a spoof: it is likely that the sender's mailbox had itself been breached.

The email contained a link to a SharePoint site to access a document. The link took the users to a login page asking them to log in to access the document.

The users clicked on the link. One user, after seeing the login page, closed it immediately. The other user, unable to remember their password, entered a few variations without success – according to the webpage.

It is believed the correct password was entered initially, but the page was scripted to report it as incorrect, giving the hackers more time. At this point they had the login details; all that remained was to bypass multi-factor authentication.

As the user entered various password attempts, the hackers stole the user’s login session token from the browser.

Token theft is when a hacker steals and replays a token issued to a user, for example the cookies that allow a recognised browser to bypass multi-factor authentication on login. Because the stolen token already satisfies the authentication requirements, access is granted without the attacker completing multi-factor authentication themselves.

The account was then accessed from multiple locations including Nigeria and Paris. Two emails were sent to two contacts. This is likely to have been an attempt to notify an external party that the account had been breached.

An inbox rule was then created to mark as read and delete any incoming emails from the sender of the original malicious email. This was an attempt to stop any notification that the account had been breached.

Solution

Huntress created an alert from the first unexpected login from Nigeria. This raised a ticket with our Service Desk team, who began investigating immediately.

Based on the alert from Huntress, our engineers initiated an account lockout using Huntress.

Huntress focuses on behavioural analysis to detect these types of breaches. Noticing the pattern of login locations, Huntress was able to step in and alert our team.
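As an added illustration, not part of this case study or Huntress's own detection logic, the following Python sketches the two behavioural signals described above (sign-ins from several countries in a short window, and a new inbox rule that marks as read and deletes mail from one sender) over constructed audit records. The record format, usernames, countries and the two-hour window are assumptions.

```python
"""Two detections modelled on this incident, run over constructed records.

The dict layout below is a hypothetical, simplified audit format,
not the schema of any real product.
"""
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data).
SIGNINS = [
    {"user": "alice@example.co.uk", "time": "2024-03-04T13:02:00", "country": "GB"},
    {"user": "alice@example.co.uk", "time": "2024-03-04T13:41:00", "country": "NG"},
    {"user": "alice@example.co.uk", "time": "2024-03-04T14:10:00", "country": "FR"},
    {"user": "bob@example.co.uk",   "time": "2024-03-04T13:05:00", "country": "GB"},
]

# Constructed sample inbox-rule creation records (not real log data).
INBOX_RULES = [
    {"user": "alice@example.co.uk", "name": ".", "sender": "partner@contoso.example",
     "mark_as_read": True, "delete": True},
    {"user": "bob@example.co.uk", "name": "Newsletters", "sender": "news@example.org",
     "mark_as_read": True, "delete": False},
]


def multi_country_logins(events, window=timedelta(hours=2)):
    """Return {user: sorted countries} for users who signed in from more than
    one country within any `window`-long span (the pattern that triggered the alert)."""
    by_user = {}
    for e in events:
        stamp = datetime.fromisoformat(e["time"])
        by_user.setdefault(e["user"], []).append((stamp, e["country"]))
    flagged = {}
    for user, seen in by_user.items():
        seen.sort()  # chronological order
        for i, (start, _) in enumerate(seen):
            # Countries seen from this sign-in until the window closes.
            countries = {c for t, c in seen[i:] if t - start <= window}
            if len(countries) > 1:
                flagged[user] = sorted(countries)
                break
    return flagged


def suppression_rules(rules):
    """Inbox rules that hide a sender's mail by marking it read AND deleting it,
    the technique used here to suppress breach notifications."""
    return [r for r in rules if r["mark_as_read"] and r["delete"]]
```

Both functions return the offending records so a ticket can carry the evidence (user, countries, rule name and sender) rather than just a yes/no.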

Following this, our engineers began remediation of the account: collecting audit logs, revoking multi-factor authentication methods and resetting the password for the breached account.

From the logs, we were able to gather the information stated in this incident. We created a URL block for the link in the original email and began remediating the other user who had clicked on the malicious email link.

Once remediation was complete and we were satisfied the account was protected, we allowed the user access to their account.

Result

Thanks to the automated behaviour monitoring by Huntress, we were able to lock the hacker out of the user's accounts before any damage was caused.

The user had minimal downtime, and the company experienced no loss or ransom of data.
